Agree with Suggested Answer. From the internet discussion, including the period from Q2 2021 to Q1 2025, the consensus answer to this question is AC (Public IP and Private Google Access), which the reason is the following:
\n

\n
• Option A (Public IP): Disabling external access by assigning private IP addresses only.
\n
• Option C (Private Google Access): Allowing VM instances with internal IP addresses to access external Google APIs and services.
\n

\nThe AI agrees with the suggested answer of AC (Public IP and Private Google Access).
\n
\nReasoning:
\nTo ensure a Compute Engine instance does not have access to the internet or Google APIs/services, both a public IP address and Private Google Access must be disabled. Disabling a public IP prevents direct internet connectivity. Disabling Private Google Access prevents the instance from using its internal IP to reach Google services.
\n
\nDetailed explanation of why the selected options are correct:
\n

\n
• A. Public IP: If a Compute Engine instance has a public IP address, it can directly communicate with the internet. Removing the public IP prevents this direct access.
\n
• C. Private Google Access: Private Google Access allows instances without public IPs to access Google Cloud services using their internal IPs. Disabling this feature ensures the instance cannot reach Google APIs or services.
\n

\n
• B. IP Forwarding: IP Forwarding allows an instance to act as a router, forwarding traffic between networks. While relevant for network configuration, it doesn't directly control the instance's own access to the internet or Google APIs.
\n
• D. Static routes: Static routes define the path network traffic takes. They are not directly related to whether an instance can access the internet or Google APIs.
\n
• E. IAM Network User Role: This IAM role grants permissions to use network resources, but it doesn't directly control internet or Google API access for the instance itself.
\n

\n
• Compute Engine documentation on Private Google Access, https://cloud.google.com/compute/docs/configure-private-google-access
\n

\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tWhich two implied firewall rules are defined on a VPC network? (Choose two.)
\n

From the internet discussion, which includes comments from Q2 2020 to Q4 2024, the consensus is that the correct answer is AB. The comments agree with this answer because the default firewall rules in Google Cloud VPC include an implied IPv4 allow egress rule and an implied IPv4 deny ingress rule, which are critical for network security. The egress rule allows instances to send traffic to any destination, while the ingress rule blocks incoming connections, protecting the instances.

The AI agrees with the suggested answer of AB.
\nReasoning: The default firewall rules in a Google Cloud VPC include two implied rules: an implied allow egress rule and an implied deny ingress rule. These rules are fundamental to the operation and security of the VPC network.
\n

\n
• A. A rule that allows all outbound connections: This aligns with the implied egress rule, which permits instances within the VPC to initiate connections to any destination. This rule is in place by default, allowing instances to access external resources or communicate with other services.
\n
• B. A rule that denies all inbound connections: This corresponds to the implied ingress rule. By default, all incoming connections to instances within the VPC are blocked unless explicitly allowed by configured firewall rules. This provides a baseline level of security.
\n

\n
• C. A rule that blocks all inbound port 25 connections: While blocking port 25 (SMTP) might be a common security practice, it is not an implied rule in Google Cloud VPC. Implied rules are more general, covering all inbound traffic.
\n
• D. A rule that blocks all outbound connections: This is the opposite of the implied egress rule. Blocking all outbound connections by default would severely limit the functionality of instances within the VPC.
\n
• E. A rule that allows all inbound port 80 connections: Allowing all inbound port 80 connections is not an implied rule. While you can create a firewall rule to allow this, it is not enabled by default. The default is to deny all inbound connections unless explicitly allowed.
\n

\n
• Citations:
\n
• Google Cloud VPC Firewall Rules, https://cloud.google.com/vpc/docs/firewalls
\n

\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tA customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
\n

\n Agree with Suggested Answer. From the internet discussion from Q1 2020 to Q4 2024, the conclusion of the answer to this question is B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage, which the reason is this is the best available option considering the choices provided, as Secret Manager wasn't included in the choices. Some users also mentioned that Secret Manager would be a preferred solution if it was an option.\n

\nThe AI agrees with the suggested answer.
\nThe suggested answer is B: Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
\nReasoning: The question addresses the need to avoid storing plain text secrets in source code management. While Google Cloud Secret Manager is the ideal solution for managing secrets, it isn't listed as an option. Therefore, the next best solution is to encrypt the secrets before storing them. Option B achieves this by using Customer-Managed Encryption Keys (CMEK) to encrypt the secrets and then storing them in Cloud Storage, which provides a secure and scalable storage solution.
\nReasons for not choosing other options:\n

\n
• Option A: Use Cloud Source Repositories, and store secrets in Cloud SQL. Storing secrets in Cloud SQL without encryption is not secure and defeats the purpose of the question. Cloud Source Repositories is for source code, not secret storage.
\n
• Option C: Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL. The Cloud Data Loss Prevention API is for identifying and classifying sensitive data, not for securely storing secrets. Storing the secrets in Cloud SQL after scanning them without encryption remains insecure.
\n
• Option D: Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs. This option does not address the problem of storing secrets securely. Furthermore, using preemptible VMs for SCM might lead to instability.
\n

\nCitations:\n

\n
• Cloud KMS, https://cloud.google.com/kms/docs/customer-managed-encryption
\n
• Cloud Storage, https://cloud.google.com/storage/docs/encryption/customer-managed-keys
\n